Alain FORCIOLI wrote:
> Hi,
>
> I'm looking for information (URLs, documentation, etc.) that can confirm
> the following Linux kernel behavior.
>
> It seems that in case of IP fragmentation, Linux kernel 2.4.x starts to
> send the last IP fragment first. I think it does it to get easier
> calculation of the total IP packet length on the target side.
>
> I have a firewall (commercial and proprietary) that doesn't accept to
> receive the last fragmented packet first. So as I can't change this
> firewall (sorry) I would like to know if I can modify this kernel
> behavior.

I'm certain that you can modify the Linux kernel so that it sends the first
fragment first. It's just a simple matter of programming: you have the kernel
source, so make the changes and recompile.

However, I'd be suspicious of your commercial, proprietary firewall, and would
replace it as soon as I could, if I were you. A firewall that refuses to work
with IP is one that may be faulty in other ways as well. FWIW, IP does not
guarantee the order of fragments under any circumstances, and an IP stack (such
as the one in your firewall) that demands ordered fragments is a broken IP
stack. Your firewall is broken; can you trust that it is doing its job properly?

> Thanks for your help.
>
--
Lew Pitcher
Master Codewright and JOAT-in-training
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
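
The order-independence described in the reply above, as an added example that is not part of the original post and is not Linux kernel code: a minimal IPv4 reassembly buffer that completes a datagram whatever order its fragments arrive in, including last fragment first. The names `struct reasm`, `reasm_add` and `demo_last_first` are hypothetical, the sample payload is constructed, and rejecting overlapping or duplicate fragments is a policy choice of this sketch.

```c
#include <stdint.h>
#include <string.h>
#define MAX_LEN    65535
#define MAX_BLOCKS 8192                 /* 8-byte fragment-offset units */

struct reasm {                          /* one (src, dst, proto, id) datagram */
    uint8_t  data[MAX_LEN];
    uint8_t  seen[MAX_BLOCKS];          /* 1 = this 8-byte block has arrived */
    uint32_t total;                     /* 0 until the MF=0 fragment arrives */
};

/* Returns 1 = datagram complete, 0 = still waiting, -1 = fragment rejected. */
int reasm_add(struct reasm *r, uint16_t off_units, int mf,
              const uint8_t *p, uint16_t len)
{
    uint32_t start = (uint32_t)off_units * 8, end = start + len, b;
    uint32_t first = start / 8, last = (end + 7) / 8;
    if (len == 0 || end > MAX_LEN || (mf && len % 8))
        return -1;                      /* only the final fragment may be unaligned */
    if (r->total && (mf ? end > r->total : end != r->total))
        return -1;                      /* contradicts the known total length */
    for (b = first; b < last; b++)
        if (r->seen[b])
            return -1;                  /* overlap/duplicate: rejected in this sketch */
    if (!mf) {
        for (b = last; b < MAX_BLOCKS; b++)
            if (r->seen[b])
                return -1;              /* earlier data lies past the claimed end */
        r->total = end;                 /* MF=0 fixes the length, in any position */
    }
    memcpy(r->data + start, p, len);
    memset(r->seen + first, 1, last - first);
    if (!r->total)
        return 0;                       /* length unknown until MF=0 is seen */
    for (b = 0; b < (r->total + 7) / 8; b++)
        if (!r->seen[b])
            return 0;                   /* a hole remains */
    return 1;
}

/* Constructed input: 20 bytes split 8/8/4 and delivered last fragment first. */
int demo_last_first(void)
{
    static struct reasm r;
    static const uint8_t msg[] = "ABCDEFGHIJKLMNOPQRST";
    memset(&r, 0, sizeof r);
    if (reasm_add(&r, 2, 0, msg + 16, 4) != 0) return -1;  /* last, MF=0 */
    if (reasm_add(&r, 0, 1, msg, 8) != 0)      return -1;  /* first */
    if (reasm_add(&r, 1, 1, msg + 8, 8) != 1)  return -1;  /* middle completes it */
    return r.total == 20 && memcmp(r.data, msg, 20) == 0;
}
```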